Packages changed:
  ima-evm-utils (1.1 -> 1.2.1)
  kernel-default-base (5.2.7 -> 5.2.8)
  kernel-source (5.2.7 -> 5.2.8)
  libseccomp
  open-vm-tools

=== Details ===

==== ima-evm-utils ====
Version update (1.1 -> 1.2.1)

- Update to version 1.2.1 (included changes of unreleased v1.2)
  version 1.2 new features:
  * Generate EVM signatures based on the specified hash algorithm
  * include "security.apparmor" in EVM signature
  * Add support for writing & verifying "user.xxxx" xattrs for testing
  * Support Strebog/Gost hash functions
  * Add OpenSSL engine support
  * Use of EVP_PKEY OpenSSL API to generate/verify v2 signatures
  * Support verifying multiple signatures at once
  * Support new template "buf" field and warn about other unknown fields
  * Improve OpenSSL error reporting
  * Support reading TPM 2.0 PCRs using tsspcrread
  Bug fixes and code cleanup:
  * Update manpage stylesheet detection
  * Fix xattr.h include file
  * On error when reading TPM PCRs, don't log garbage
  * Properly return keyid string to calc_keyid_v1/v2 callers, caused by
    limiting keyid output to verbose mode
  * Fix hash buffer overflow caused by EVM support for larger hashes,
    defined MAX_DIGEST_SIZE and MAX_SIGNATURE_SIZE, and added "asserts".
  * Linked with libcrypto instead of OpenSSL
  * Updated Autotools, replacing INCLUDES with AM_CPPFLAGS
  * Include new "hash-info.gen" in tar
  * Log the hash algorithm, not just the hash value
  * Fixed memory leaks in: EV_MD_CTX, init_public_keys
  * Fixed other warnings/bugs discovered by clang, coverity
  * Remove indirect calls in verify_hash() to improve code readability
  * Don't fallback to using sha1
  * Namespace some too generic object names
  * Make functions/arrays static if possible
- Upstream bumped soname to 1.0.0 in v1.2
- Drop ima-evm-utils-xattr.patch and
  ima-evm-utils-fix-docbook-xsl-directory.patch (included in v1.2)

==== kernel-default-base ====
Version update (5.2.7 -> 5.2.8)

- Shorten module list by using wildcards.

==== kernel-source ====
Version update (5.2.7 -> 5.2.8)
Subpackages: kernel-debug kernel-default

- Linux 5.2.8 (bnc#1012628).
- scsi: fcoe: Embed fc_rport_priv in fcoe_rport structure (bnc#1012628).
- libnvdimm/bus: Prepare the nd_ioctl() path to be re-entrant (bnc#1012628).
- libnvdimm/bus: Fix wait_nvdimm_bus_probe_idle() ABBA deadlock (bnc#1012628).
- ALSA: usb-audio: Sanity checks for each pipe and EP types (bnc#1012628).
- ALSA: usb-audio: Fix gpf in snd_usb_pipe_sanity_check (bnc#1012628).
- HID: wacom: fix bit shift for Cintiq Companion 2 (bnc#1012628).
- HID: Add quirk for HP X1200 PIXART OEM mouse (bnc#1012628).
- atm: iphase: Fix Spectre v1 vulnerability (bnc#1012628).
- bnx2x: Disable multi-cos feature (bnc#1012628).
- drivers/net/ethernet/marvell/mvmdio.c: Fix non OF case (bnc#1012628).
- ife: error out when nla attributes are empty (bnc#1012628).
- ip6_gre: reload ipv6h in prepare_ip6gre_xmit_ipv6 (bnc#1012628).
- ip6_tunnel: fix possible use-after-free on xmit (bnc#1012628).
- ipip: validate header length in ipip_tunnel_xmit (bnc#1012628).
- mlxsw: spectrum: Fix error path in mlxsw_sp_module_init() (bnc#1012628).
- mvpp2: fix panic on module removal (bnc#1012628).
- mvpp2: refactor MTU change code (bnc#1012628).
- net: bridge: delete local fdb on device init failure (bnc#1012628).
- net: bridge: mcast: don't delete permanent entries when fast leave is enabled (bnc#1012628).
- net: bridge: move default pvid init/deinit to NETDEV_REGISTER/UNREGISTER (bnc#1012628).
- net: fix ifindex collision during namespace removal (bnc#1012628).
- net/mlx5e: always initialize frag->last_in_page (bnc#1012628).
- net/mlx5: Use reversed order when unregister devices (bnc#1012628).
- net: phy: fixed_phy: print gpio error only if gpio node is present (bnc#1012628).
- net: phylink: don't start and stop SGMII PHYs in SFP modules twice (bnc#1012628).
- net: phylink: Fix flow control for fixed-link (bnc#1012628).
- net: phy: mscc: initialize stats array (bnc#1012628).
- net: qualcomm: rmnet: Fix incorrect UL checksum offload logic (bnc#1012628).
- net: sched: Fix a possible null-pointer dereference in dequeue_func() (bnc#1012628).
- net sched: update vlan action for batched events operations (bnc#1012628).
- net: sched: use temporary variable for actions indexes (bnc#1012628).
- net/smc: do not schedule tx_work in SMC_CLOSED state (bnc#1012628).
- net: stmmac: Use netif_tx_napi_add() for TX polling function (bnc#1012628).
- NFC: nfcmrvl: fix gpio-handling regression (bnc#1012628).
- ocelot: Cancel delayed work before wq destruction (bnc#1012628).
- tipc: compat: allow tipc commands without arguments (bnc#1012628).
- tipc: fix unitilized skb list crash (bnc#1012628).
- tun: mark small packets as owned by the tap sock (bnc#1012628).
- net/mlx5: Fix modify_cq_in alignment (bnc#1012628).
- net/mlx5e: Prevent encap flow counter update async to user query (bnc#1012628).
- r8169: don't use MSI before RTL8168d (bnc#1012628).
- bpf: fix XDP vlan selftests test_xdp_vlan.sh (bnc#1012628).
- selftests/bpf: add wrapper scripts for test_xdp_vlan.sh (bnc#1012628).
- selftests/bpf: reduce time to execute test_xdp_vlan.sh (bnc#1012628).
- net: fix bpf_xdp_adjust_head regression for generic-XDP (bnc#1012628).
- hv_sock: Fix hang when a connection is closed (bnc#1012628).
- net: phy: fix race in genphy_update_link (bnc#1012628).
- net/smc: avoid fallback in case of non-blocking connect (bnc#1012628).
- rocker: fix memory leaks of fib_work on two error return paths (bnc#1012628).
- mlxsw: spectrum_buffers: Further reduce pool size on Spectrum-2 (bnc#1012628).
- net/mlx5: Add missing RDMA_RX capabilities (bnc#1012628).
- net/mlx5e: Fix matching of speed to PRM link modes (bnc#1012628).
- compat_ioctl: pppoe: fix PPPOEIOCSFWD handling (bnc#1012628).
- Revert "mac80211: set NETIF_F_LLTX when using intermediate tx queues" (bnc#1012628).
- spi: bcm2835: Fix 3-wire mode if DMA is enabled (bnc#1012628).
- commit bf37e83
- Use the upstream patch.
  (Including the tags.)
- commit 5dd5b2d
- s390: enable detection of kernel version from bzImage (bnc#1139939).
- commit 8434c05
- drm/i915/vbt: Fix VBT parsing for the PSR section (bsc#1143139).
- commit 0bef772
- rpm/kernel-binary.spec.in: support partial rt debug config.
- commit af37821

==== libseccomp ====

- ignore make check error for ppc64/ppc64le, bypass boo#1142614

==== open-vm-tools ====
Subpackages: libvmtools0

- Revert change from (bsc#1133623) update vmtoolsd.service tools to run
  after the network service is ready. This update caused cyclic
  dependencies as reported by bugs (bsc#1143452) and (bsc#1141969)